Iraqi government networks have recently faced a cyber attack campaign by the Iran state-sponsored threat actor OilRig [3], also known as APT34 or Crambus [1].

Description

This attack, uncovered by Check Point Research [2], revealed two new malware families, Veaty and Spearal [1] [2] [3], delivered as documents disguised as benign attachments in phishing emails [1]. Veaty establishes connections with command-and-control email servers using several different methods [2], while Spearal shares tactics with malware families affiliated with the Iranian Ministry of Intelligence and Security [2]. The attacks targeted organizations such as the Prime Minister's Office and the Ministry of Foreign Affairs [3]. OilRig [1] [3], known for conducting phishing attacks in the Middle East [3], has previously used custom backdoors such as Karkoff, Shark, and Marlin for information theft [3]. Both Veaty and Spearal are capable of executing PowerShell commands and harvesting files [3]. The campaign relies on unusual command-and-control mechanisms [3], including a custom DNS tunneling protocol and an email-based C2 channel that relays traffic through compromised email accounts inside the targeted organization [3]. Additionally, a new malware variant, CacheHttp.dll, has been identified targeting the same entities in Iraq [2]. Check Point's security solutions provide robust defense against advanced malware, with multi-layered protection to prevent such attacks [2].

Conclusion

The cyber attack campaign by OilRig on Iraqi government networks highlights the need for enhanced cybersecurity measures to protect sensitive information and infrastructure. Organizations must remain vigilant against evolving threats and implement comprehensive security solutions to mitigate risks. The use of new malware families and sophisticated command-and-control mechanisms underscores the importance of continuous monitoring and proactive defense strategies to safeguard against future attacks.

References

[1] https://hackyourmom.com/en/novyny/iranska-grupa-oilrig-atakuye-uryad-iraku-vykorystovuyuchy-novi-vydy-shkidlyvogo-pz/
[2] https://blog.checkpoint.com/research/the-unraveling-of-an-iranian-cyber-attack-against-the-iraqi-government/
[3] https://thehackernews.com/2024/09/iranian-cyber-group-oilrig-targets.html